(12731/1995) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: IMMEDIATE 


Date: 07/10/1997 


To : Tampa 


Attn: SSA 


From: Salt Lake City 

Boise RA 
Contact: SA 


, (208) 344-7843 


Approved By: 


Drafted By: 


Case ID #: 9A-SU-NEW/(Pending) ( 

TiHe* PTTT.fp ni? niHT? nnui ♦ _ 


,00 


Title: CULT OF THE DEAD COW; ^ 

MICRON/ELECTRONICS - VICTIM 
EXTORTION 


Synopsis: Document complaint received from] 

Electronics, Boise, Idaho. 


Micron 


Details: On 07/10/1997, Micron Electronics, 

contacted the FBI, Boise) Idaho, regarding an ext ortion message 

left on a recorder at Micron Electronics. _advised a female 

with a middle eastern accent left a message stating, “This is 
fiber optics in the Cult of the Dead Cow. I want $5,000.00 cash 
or I wi ll crash your systems with (ah) a tre mendous virus. 

Later.” I I advised a n employee at Micron, | 

was searching the system to determine if 
tne origination number could be found on the 1-800 line on which 
the Cult of the Dead Cow contacted Micron. 


was contacted directly and advised FBI, 
Boise, t hat the call ca me in from 813-757-5951, Plant City, 

Florida. _ further advised that the call was received 

at 11:09 p.m., on 07/09/1997, at the Micron Electronics, Inc., 
Nampa, Idaho. She advised that the call could be identified at 
extension 3636 at the 813-757-5951 number. 


SSRA spoke with thej 

Micron Electronics and found there was no additional call 
providing instructions to Micron Electronics for the delivery of 
the $5,000.00. 


In the event no additional call is made to Micron 
Electronics with instructions for delivery of the $5,000.00, 
Tampa Division will be requested to contact the individual or 
individuals listed at the number and specific extension. 
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To: Tampa From: Salt Lake City 

Re: 9A-SU-NEW, 07/10/1997 



LEAD (S): 
Set Lead 1: 


TAMPA 


AT PLANT CITY. FL 


Determine subscriber information for Plant City, 
Florida, number 813-757-5951, extension 3636, and thereafter hold 
additional information in abeyance pending notification by Salt 
Lake City Division. 


Results of the invp stiaation may be forwarde d directly 


to the Boise RA, attention: SA 
additional information cont 
directly, (208) 344-7843. 


1“ 



sa| 


at tne Boise 


For any 
RA 


b6 

b7C 


♦ ♦ 
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b6 

b7C 




/> 

. 9A-S U-47237 

T he following investigation was conducted by I.A. 
on 7/14/97: 


Contact with the General Telephone Company revealed that 
telephone number 813-757-5951 is listed to Texaco #114 3700 Paul 
Buckman Road (SR39) Plant City, Florida. This is a business 
line. 








(12/31/1995) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 

To: -"^alt Lake City 


From: Tampa 

Squad 4 
Contact: I.A. 

a 


Date: 07/16/1997 


Attn: Boise RA 


SAJ 


208-344-7843 


b6 

b7C 


Approved By| 

Drafted By 

Case ID #: 9A-SU-4723 7' 2 * (Pending) 

Title: CULT OF THE DEAD COW; 

MICRON ELECTRONICS - VICTIM 
EXTORTION 

Synopsis: Subscriber information requested. 

Reference: 9A-SU-47237 Serial 1 

Encl psnres ! • Oricrina] and one copy of investigative insert of 
I ‘ 


inclas 

•A-L 


b6 

b7C 


Details: Subscriber information requested is attached. 

Investigation being held in abeyance. 


♦ ♦ 






(12/31/1995) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 

To: *<Salt Lake City 


Date: 10/03/1997 


Attn: 

BOLSE_RA_ 


saI 




. 208-344-7843 


From: Tampa 

Squad 4 
Contact: I.A. 


Approved H 


Drafted By: 

Case ID #: 9A-SU-47237 - ^ 

Title: CULT OF THE DEAD COW; 

MICRON ELECTRONICS - VICTIM 
EXTORTION 


b6 

b7C 


Synopsis: Information regarding telephone number 813-757-5951 

Details: Contact with the Security Department of General 

Telephone revealed that telephone number 813-757-5951 is a pay 
station subscribed to by Texaco #114, 3700 Paul Buckman Road 
(SR39) Plant City, Florida. 


♦ ♦ 
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(12/31/1995) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: 
To : Tampa 


ROUTINE 


Date: 10/20/1997 


Attn: SSA 


From: Salt Lake City 


Boise RA 
Contact : SA 


Approved By: 




(208) 344-7843 


b6 

b7C 


Drafted By: 

Case ID #: 9A-SU-47237 (Pending) 


Title: CULT OF THE DEAD COW; 

MICRON ELECTRONICS - VICTIM; 
EXTORTION 


SA 


Synopsi s : Document telcall to Tampa Division, SSA j --, 

I frnm Sa lt Lake City Division, Boise Resident Agency, 
[on 09/30/97. 


b6 

b7C 


Details: The purpose of this communication is to document 

information provided to Tampa Division from Salt Lake City 
Division, Boise Resident Agency regarding the Cult of the Dead 
Cow. Micron Electronics has not received any additional 
extortion threats over the phone from Florida. 

Salt Lake City Division received subscriber information 
for telephone number (813) 757-5951 The communication listed 
the subscriber at Texaco #114, 3700 Paul Buckman Road (SR 39), 
Plant City, Florida. This number was listed as a business line. 











To: Tampa From:^^Salt Lake City 
Re: 9A-SU-47237, 10/20/1997 

LEAD (s) : 

Set Lead Is 

TAMPA 



AT PLANT CITY. FL 


Contact subscriber for telephone number (813) 757-5951 
at address Texaco #114, 3700 Paul Buckman Road (SR 39), Plant 
City, Florida. Attempt to determine identity of caller who made 
the extortion threat to Micron Electronics in Boise, Idaho. In 
the event the individual caller is unable to be identified, 
advise the office manager or person in charge of the nature of 
the call and reveal that Micron Electronics has a tape recording 
of the extortion threat. Further emphasize that should 
additional calls be generated from that subscriber, the U.S. 
Attorney will be contacted to proceed with prosecution in this 
matter. 


Results of the above lead may be forwarded directly to 
Salt Lake City Division. Boise Resident Agency, attention b6 

_ b7C 


♦ ♦ 
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(12/31/1995) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 

To: Salt Lake City 


Date: 12/03/1997 


Attn: SAC 


From: 


-Boise RA 

Approved By: 
Drafted By: 


b6 

b7C 


Case ID #: 9A-SU-47237 


(Closed) 


Title: CULT OF THE DEAD COW; 

MICRON ELECTRONICS - VICTIM 
EXTORTION 

gyring-is: _ Document co ntact with Micron Electronics 

’ and, close of investigation. 


Details; 


was contacted at 7 7 vu r 

vt '— T fTnho. reqarding the outcome of the lead sent to FBI, 

Tampa ' ^ ‘“Iwas advised Tampa Division conducted a subscriber 

i amp a • _ , .uv, ^ t vv», Mirrnn Electronics, 


b6 

b7C 


Tamna was advised Tampa uivibiun - —~ — 

search on the number provided to the FBI by Micron Electronics, 

(813) 757-5951, and determined the telephone :PaSl ? 

belenhone at Texaco Station Number 114. located at 3700?f. . 

telephone at iexaco advised no . addit i o nal 


was 


Buckman Road, Plant city, Florida.)_ MyljMjd no 

extortion calls had been made to Micron Electronics. ,— j 

advised°that should additional extortion calls be reciTvS^Y 
Micron Electronics he could contact the Boise FBI Office. 

In view of the fact the Tampa Division lead was 
covered, Micron Electronics has received no additional extorti 
calls, and there is no additional investigative activity 
required, this matter will be considered closed. 


♦ ♦ 
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( 01 / 26 / 1998 ) 


ALL INFORMATION CONTAINED 

HEREIN IS UNCLASSIFIED 

nATE 08-05-2014 BY J36J55T41/HSICG 


FEDERAL BUREAU OF INVESTIGATION 

Precedence: ROUTINE* Date: 10/25/1999 

To: Criminal Investigative Attn: IRU-1. SSA 

National Security Attn: [ I 


IRU-l 

. SSA 





From: Moscow 

Contact: ALA 1 ] 


011-7-095-956-4408/10 fax 


Approved By: 

Drafted By: 

Case ID #: :.63H-MC-467 (Pending) 

Title: CULT OF THE DEAD COW 

FPC-WCC 

^Synopsis: Request information on subject. 
Details ^ 













4 










To: 
Re: 




Criminal Investigative From: 
163H-MC-467, 10/25/1999 


Moscow 


LEAD (s): 

Set Lead 1: (Adm) 

CRIMINAL INVESTIGATIVE 
AT WASHINGTON. DC 
Read and clear. 

Set Lead 2: 

NATIONAL SECURITY 
AT NIPC 

-Provide information suitable for dissemination to 

about the Cult of the Dead Cow hacker group. ~ 

- 3 ^ b7D 


♦ ♦ 


2 
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FEDERAL BUREAU OF INVESTIGATION 



Precedence: ROUTINE ' 


Date: 12/14/1998 


To: ; NSD 


Attn: 



UC 



b7E 

b6 

b7C 


From:; 


A tlanta _ 

Contact: 


(404)679-6456 


b7E 


Approved By: Daulton Jack A 


Drafted By: 


b6 

b7C 


Case ID #: 288A-AT- (Pending) 

Title : UNSUB(S), yaka; 

DETH VEGETABLE; 

NET NINJA; \ 

dba CULT OF\HE DEAD COW (CDC) ; 
MINDSPRING ENTERPRISES/ 

1430 PEACHTRE\ST.,- 
ATLANTA, GA., &309 - VICTIM; 

INTRUSION - INF^SYSTEMS; 

IDENTITY THEFT; \ 

CONSPIRACY \ 

Synopsis:; To open an assign captioned matter. 


Details: On 11/10/1998/ the Atlanta division hosted a conference 
on Computer Fraud and Economic Espionage Investigations. In 
attendance were security representatives from Mindspring 
Enterprises, Inc. (Mindspring). Mindspring advised at that time 
that they were encountering a new Trojan horse program known as 
'BACK ORIFICE' (BO). Mindspring advised that innocent 
subscribers to Mindspring were being inadvertently infected with 
the BO program, and that the UNSUB(s) who were exploiting the 
victim's computers were using the victim's electronic user 
identification (userid) and password to illegally access 
Mindspring and thereby the Internet using fictitious 
identification.; 


Back Orifice is a take-off of 
.Office. Back Office is a suite 



the Microsoft, Inc., name 
of software used to 





b6 

b7C 








To: NSD From:- Atlanta 
Re: : 28 8A-AT-, 12/14/1998 



operate and control server class computers. Back Orifice was 
published'for free download and use by a group known as the "Cult 
of the Dead Cow" (CDC) from their Internet .web site at 
<http://www.cultdeadcow.com>.; CDC claims to have previously 
gained access or "hacked" into US Government computers including 
Department of Defense computer systems. CDC claims to have been 
in existence since 'the mid 1980's. On 8/3/1998, CDC released the 
BO program for download from it's web site. CDC advises that; BO' 
is a "remote administration tool" for Windows 95/98/NT, however 
the information released with BO clearly indicates that BO is a 
"hacker" tool. Once installed, BO allows unauthorized users to 
execute privileged operations on the affected computer, whether 
over a local area network (lan) or over the internet. 


As early as three days after the release of BO, 
computer security groups such as CERT and Internet Security 
Systems, Inc.,-‘began issuing advisories on the dangers of the BO 
program. In November 1998, Mindspring advised that they were 
seeing approximately two BO intrusions every day. Information, 
available through CERT <http://www.cert.org> ’indicates that tens 
of thousands of computers may be infected. Information has been 
developed that many of the affected computers send Internet 
messages to servers used by CDC to alert the UNSUB(s) that the 
infected computer is currently available for illegal access. 

On 12/11/98, Mindspring advised that an Internet web 
site with an address of <http://www.bobastard.com> was publishing 
userids and passwords of BO infected customers of Mindspring. 
Mindspring security provided the information via e-mail to the 
Atlanta office. 


The investigative strategy for this matter will be to 
collect information on the nature and scope of CDC, with an 
intent to prosecute for violations of T18 sec 1030 (Computer 
Intrusions), T18 seo 1028 ( Identi ty Theft), and T18 sec 371 


(Conspiracy). To this end, 
a Group II UCOJl 


Agents in Atlanta will undertake 


b7E 


2 




Tor NSD From:'- Atlanta 
Re: 288A-AT-V 12/14/1998 


ie proposec 


L2/14/98, Agents from the | 1 group met with AUSA 
J Northern District of Georgia, who was advised of 
investigation and strategy. AUSA. stated that 'there 


did not appear to be an entrapment issue, and he concurred with 
the investigative strategy. 

















01/07^99 

'13:01:50 


FD-192 


ICMIPRO1 
'Page 1 


Title and Character of Case: 


VEGETABLE, DETH 
NINJA, NET 


Date Property Acquired: _ Source from which Pr operty Acquired:; 
12/18/1998 


b6 

b7C 


Anticipated Disposition: Acquired Rv; 

Description of Property: 

IB 1 

ONE OPTICAL DISK 

Barcode:; E1622226 Location:; ECR CAB1 


rage flqenf 


Date Entered 


01/07/1999 


Evidence —by S/(_ 

On - SEE IAv*2 


-AT- SP//3 / 


Case Number: 288A-AT-87389-1B 
Owning Office:. ATLANTA 

FD-192 ORIGINAL FD-192 

INVESTIGATIVE LOCATED IN SFIB 

FILE COPY t MAINTAINED IN ECU 



SEARCH5_INDEXED. 

SERIALIZED_FtLED. 


ov;;: i i is39 

FGI-ATLANTA 


V 










(oihinm) 


federal bureau of investigation 


Precedence: ROUTINE 


"To: Atlanta 
From: Atlanta 
Approved' By: Dauj 


Date: 12/29/98 
tn: Evidence Technician 




Drafted By: 

Case ID 288A-AT-87389 (Pending )—''-I 

Title: DETH VEGETABLE; 

NET NINJA; 

CITA MATTERS 

Control S Room° rep ° rt dela y ed entry of evidence into the Evidence 

computer belonging^ol “ ^ "* 1 — 

oisr C ?o S f‘ ThC °P taca ' 1 , alsK containing Che image was turned 

that fimo hlS r. Wr ^ ter ».£ n 12 / 18 / 98 - It has been in my custody since 
During that time I have been looking for a media 
(hard drive) large enough to restore the image. 


fci/6/ 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 


Date: 12/14/1998 


To: NSD. 


Attn: 


T7CI 


b7E 

b6 

b7C 


From: At lanta 


Contact :< 

Approved By: _ Daulton Jack A 


.(404)679-6456 


2- 


Drafted By: 


Case ID U: 288A-AT-87389V^(Pending) 


Title:' :UNSUB(S), aka; 

DETH VEGETABLE;' 

NET NINJA; 

dba CULT OF THE DEAD COW (CDC) ;' 
'MINDSPRING ENTERPRISES, 

1430 PEACHTREE ST., 

ATLANTA, GA.-, ,30309 VICTIM; 
INTRUSION INFO ; SYSTEMS; 
IDENTITY THEFT; 

'CONSPIRACY 


b7E 


b6 

b7C 


Synopsis: 


To,- advise, the 


of a new investigation. 


Details: ^ On ll/lb/1998,,-the Atlanta division hosted a conference 
on Computer Fraud and Economic Espionage Investigations. In. 
attendance were security representatives from Mindspring 
Enterprises,, Inc. (Mindspring). Mindspring advised at that time 
that they were encountering :a new Trojan horse program known as 
"BACK ORIFICE' (BO). Mindspring advised that innocent 
subscribers to Mindspring were being inadvertently infected with 
the; BO program; and that the UNSUB (s) who were, exploiting the 
victim’s computers were using the victim's electronic user 
identification (userid) and password to illegally access 
Mindspring and thereby the Internet using fictitious 
identification. 


b7E 


Back Orifice is a take-off of the Microsoft,. Inc.,, name 
of Back Office.-. Back; Office is a suite; of software, used’ to 
operate and* control server class -computers.; Back Orifice was 
published for free download and use by a group known as the "Cult 
of the Dead Cow' (CDC) from their' Internet, web site at 
<http://www. cultdeadcow.com>.; CDC. claims to have previously 


SEARCHED, 

SECAUZEI 




■JDEXED. 

IE0_ 


211998 


F6l - ATtANfA] 







To: NSD From:' Atlanta 
Re : : 2 88A-AT- 87389 

12/14/1998 



gained access or hacked into US Government computers including 
Department of Defense computer systems. CDC claims to have been 
in existence since the. mid 1980's. : On 8/3/1998/ CDC released the 
BO program for download from it's web site.: CDC advises that BO 
is a remote administration tool for Windows 95/98/NT, however the 
information released with BO clearly indicates that. BO is a 
hacker tool.- Once installed, 'BO allows unauthorized users to 
execute privileged operations on the affected computer, whether 
over a local area network (lan) or over the Internet.; 


As early as three days after the release of. BO, 
computer security groups such as CERT and Internet. Security 
Systems, Inc., began issuing advisories; on the dangers of the; BO 
program.. In November 1998, Mindspring advised that they were 
Seeing approximately two BO intrusions every day.; Information 
available through CERT <http://www.cert.org> indicates that; tens 
of thousands of computers may be infected. Information has been 
developed that many of the affected computers send Internet; 
messages to servers used by' CDC to alert the UNSUB(s) that the 
infected computer is currently available for illegal access.; 

On 12/11/98, Mindspring advised that an Internet web 
site with ah address of <http://www.bobastard.com> was publishing 
userids and passwords of BO infected customers of Mindspring.; 
Mindspring security provided the. information via e-mail to the 
Atlanta office. 

The investigative strategy for' this matter will be to 
collect information ori the nature and scope of CDC, with an 
intent, to prosecute for violations of T18 sec 1030 (Computer 



On 12 /14/98, Agents from the 


Igroup met with AUSA 

Northern District of Georgia, y/ho was acfo ised of 


tne. proposed investigation and strategy. AUSA[ 


stated 


that there did not appear to be; an entrapment issue, and he 
concurred with the investigative strategy.; 


b7E 

b6 

b7C 
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To: NSD From: Atlanta 
Re: 2 8 8A-AT- 873 8 9 
12/14/1998 


In order to expe 


ditiouslv address this matter, Atlanta 
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FEDERAL BUREAU OF INVESTIGATION 


Date o f transcription 12/21/98 


SAj_____J. .Computer .Analysis Response Team 

(CART) field examiner, conducted an examination as outlined- 
below.. The examination was done following the procedures and 
using the tools provided by the FBI Laboratory. 


b6 

b7C 


A generic minitower, no serial number, wa s made 
available for examination.- This system belonged to[ 

J and was examined at; his residence .: Tne system 
T.5" diskette drive and a CD drive< The system also 

installed. 


contained a 
had an internal modem.card 


b6 

b7C 


The following items were accomplished to this, system:; 

Write Protect Hard Drive 
Image Hard Drive 

At the conclusio n of the e xamination, the computer 
remained, in the custody of ] CART notes and 

documentation were placed in Atlanta’s Evidence Control .Room. 


investigationo& 12/17/98 _»t Lawrenceville, Georgia _ . 

File* 288A-AT-87389 _ _ Date dictated 12/21/98 

by SA _ 

This document contains neither recommendations nor condusSoas of the FBI. It is the property of the FBI and is loaned to your agency; 

' it and its contents are nc< to be distributed outside your agency. 





FD-320 (Rev. 4-11-86) 


In Reply, Please Refer to • 

FUeNo. _288-AT-87560 



FBI CASE STATUS FORM 


Date:0l/22/l99S> 


To: 


From: 


RE: 


Honorable: Richard H. Deane, Jr.-, 75 Spring Street, Atlanta, GA. 30335 


SAC Jack A. Daulton 


(Name *nd Address of USA) 


(Name of Official in Charge and Field Division) 


UNSUB.: -- BELLSOUTH. NET-VICTIM: 



cJl a 


(Signature of Official in Charge) 


b6 

b7C 


(Name of Subject) 

AUSA 

You are hereby advised of action authorized by _ 


Age 


Sex 


SA 


on information submitted by Special Agent 


rNime nfll.SA or AUSA) 


b6 

"b7C 


1/25/99 


on 


(Name) 


(Date) 


X 

(Check One) 


□ Request further investigation 

□ Immediate declination 

□ Filing of complaint 

□ Presentation to Federal Grand Jury 

□ Filing of information 
Q Other 

For violation of Tide ^_ USC. Sectioo(s) 1030 (a) (5) 


Synopsis of case: BellSouth.net has reported a denial of’ service, attack 

affecting one of. their clients, AmSouth Bank causing as yet a 
Undetermined amount of money'.; The attacks came through UUNET and 
Cable. Wireless and both ISP's are; aware of the attack. 


AUSA 

this would be a 
would prosecute. 


was advised and he stated, if. proven, 
violation if. Title 18,.-. Section 1030, for which he 


,2-US ATTORNEY’S OFFICE 
^28 8-AT-8756 0 

i-sa| 


b6 

b7C 









FD-320 (Rev. 4-11-86) 


In Reply, Please Refer to 

RleNo. _288-AT-87560 


FBI CASE STATUS FORM 


D«c;0l/22/l999 


Honorable Richard H. : Deane, Jr., 75' Spring Street, Atlanta, GA. 30335 


To: 


From: 


RE: 


SAC Jack A. Daulton 


(Name m3 Addre ss of USA) 


(Name of Official in Charge and Field Division) 


(ugawre ojjjir 


TO in Cl^rgc) 


UNSUB. 


BELLSOUTH. NET-VICTIM 


(Name of Subject) 

AUSA 

You are hereby advised of action authorized by _ 


Age 


Sex 


b6 

-b7C 


SAJ 


on information submitted by Special Agent 


.flfaar.nfllSA or AUSA) 


1/25/99 


on 


(Name) 


(Date) 


x; 

(Check One) 


□ Request further investigation 

□ Immediate declination 

□ Filing of complaint 

□ Presentation to Federal Grand Jury 

□ Filing of information 
0 Other 

For violation of Tide 18_. USC, Sections) 1030 (a) (5) 


Synopsis of case: BellSouth.net has reported a denial of service attack 

affecting one of their clients, AmSouth Bank causing as yet : a 
undetermined amount of money. The attacks came through UUNETand 
Cable Wireless and/both ISP' s are aware of the attack. 


AUSA[ 

this would be a violation 
would prosecute. 


was advised and. he stated, if proven, 
if Title 18, Section 1030, for which he 


2-US ATTORNEY’S OFFICE 
($>288-AT-87560 

i-s 4ZZT 
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FEDERAL BUREAU OF INVESTIGATION 


12/29/98 


Date of transcription 


residence . 


1 was contact ed at his 


jis a wi 

employed at| 

I WT, 

J J the i 




.e. dob f 


_L 


ssan 


Jhtt 


Ion 12/17 /98. 

I- a rid, is 

l phone 

|_ | y _ ■> . . 


_. |was advised of the 

identity of the interv iewing Age nt and the nature 1 of the 1 


interview. Thereafter 


Jprovided the following. 


is a subscriber to MindSpring, E nterprises 


Inc.(MindSpring), internet service provider- (ISP) 


.. .. _=} 

has only one computer,' noticed on the last .two bills from 

If J ' • I* J _1 ■ S r _ ■ 1 A __• ** ' mi 


l Em 

>) -L 

>ill£ 


who 


MindSpring that he was billed for simultaneous logons. This 
would .indicate that more than one computer was using .the same 
user id .a nd password to access MindSpring at the same time. 

| 1 also stated tha t his month ly usage went from about 150 

hours.to over 600 hou rs. I I could not account for these 

changes in ISP usage. I [ notified MindSpring about the 

unUsual bills: |was notified by MindSpring that his 

computer may have possibly been infected with a Troian horse 
program known as'Back Orifice;' MindSpring' also advise d 
that he should contact the interview Agent. |_ 
contacted the; interviewing Agent and a time was set for an 
interview. 


then 


another Agent'coul 
drive 


]jwas asked if the interviewing Agent and 


make an image of,_ 

in order to determine if, in fact. 


been infected' with .the Back Orifice program. I 
FD-26' Consent to Search form. A search of the files on 


£ 

Icompu ter hard 

Icomp uter had 


executed a 


wh ich is an in d 

of I _j computer hard drive was made and kept for 

evident iary purposes . No phys ical items were removed from 

I m i I__ i • 1 3 _ J j ‘ 


computer disclosed a file with the- name windll.dll 
dication of a Back Orifice program. An image copy 


h jc-£-- 

Jcustody.'. 


was 


also advised to immediately 
implement MindSpring’ instructions to remove the Back Orifice 
programl • ..‘ 

•• • ■ >• , 

. At this point the -interview was terminated. 


b6 

b7C 


b6 

b7C 


b6 

b7C 


investigation on . 12/17/98., 1 - u Lawrenceville, Ga. 


■ Ffc ,288A-AT-87389 =31- 


Date dictated 12/29/98 


by 


b6 

b7C 


, i | l 

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency: 
it and its contents are not to be distributed outside'your agency. 
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 
To: National Security' 


Date: 1/27/99 


Attn: 




SSA 
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From: Atlanta 


Contact: | 


(404)679-6456. 


Approved By: Paul ton Jack A -r. 




Drafted By: 


-A 


Case ID #: /288A-AT-87389^ TPending) 


$ 
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Title:' UNSUB(S), aka; 

dba Cult of the Dead Cow (CDC); 
MINDSPRING ENTERPRISES, 

1430 PEACTREE ST.-, 

ATLANTA, GA. 30309 -- VICTIM 
INTRUSION - INFO SYSTEMS 
IDNETITY THEFT 
CONSPIRACY 


Syn opsis: Request for equipme nt, as 

SSA and SA 


on 12722798. 


discuss ed in telca ll between 


Atlanta 


b6 
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b7E 


Details: Captioned investigation was; opened 12/14/1998, at; 
Atlanta based on information from MINDSPRING that; CDC had 
published for free a hacker program known, as; Back; Orifice; (BO) . 
MINDSPRING alerted customers to the BO Trojan horse virus.; 
MINDSPRING has documented over sixty (60) BO attacks since August 
1998 when the; BO program was released.; 


Agents from the Atlanta office succeded in. locating a 
MINDSPRING subscriber victim who agreed to a consent; search of. 
the; victims computer and hard drive. Atlanta Agents located a 
file (windll.dll) on the. victims computer that, is indicative of a 
BO intrusion. Windll.dll is alledged to control; keystroke 
logging for the hacker.; Atlanta, also, obtained an image of the 
victim’s 4.5GB hard disk. AUSA Northern District of 

Georgia, has advised that; he will consider prosecution and. that 
he. concurs with the investigative; strategy.- 
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TELEPHONE CALL REPORT 



X J SPEECH WAS: 

Clear^/Rational Slow Fast Soft Loud Nasal Lisp Stutter 

Rambling Confused Intoxicated Disguised Distressed Laughing 
• I 

Threatening Calm Excited Crying Angry /i/wV , 


J j . / 


ACCENT • UeSe (rtjteMi) F oreig n 

'Is this person a repeat Caller? 'Yes (^NcT) If Yes When?_____ 

What has He/She called about? 

• r ^ . 1 v '• 

Chech as Appropriate: , *** 

_ r 'vll‘*v fne*?c yi.t>v^.r'».r'.t C aller Wanted to .report a crime 

_Caller asked about FBI employment* 

___Caller referred to other Federal Agency:_ 

_ C aller referred to local agency/Police;_ 

__Caller requested an FBI call back at (ti me/date) 

. "“OPY of. this report forwarded to ^Supervisor or Invest.Asst_ —b7E 


Jft 


ANSWER TELEPHONE: "FBI, HAY I HELP YOU 7" 

BE CQURIEQVS AND PROFESSIONAL AT ALL TIMES 

s- jarrt ix Oa il 

1 / ,/ z tl], cu<* 'L-* CatctfW M 


ri 0 U^t co/y * * A* 

WjcAti/y /' ' Anl ^ ^,'T.T C ^^ v ~ 













\ 

r* 


p&n- At- 










rO-JJJ fuppIcMSt 
forward to wait 2 IAS 


DATE I 


hifaq 


TELEPHONE CALL REPORT 


TI M E /):4Q a m/m. 


PERSON RECEIVING CALL: 


Based on your best judgement and experience hearing the spoken word 
fill out the caller profile:' (circiV *s *ppzoprt*to) 


P 


b7E 
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£222 

< /PCale~^ > 

Female 


&q a-P. a nd 




Child Teenage 
Younc^ Adult 
M atHre AdultJ > 
” lderly 


Ethnic_Origin 

< /$hite ) Black. Hispanic Oriental Middle East 
Indian/Pakistan Undetermined 


CALLER'S N ^ME (TF PROVIDED) 
TELEPHONE 




Address^ 
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GENERAL TEXT OF , ~ - 

CALL: ///> 

yiz '/&u/ jo,? y>uy/// sz-c rY >i^*s: 

)//^r y£*. CzZ-j //£&&&y4stsfo 6+**/ rggrV^/ - , 


SPEECH WAS: 

'Clear) Rational Slow Fast Soft Loud Nasal Lisp 
Rambling Confused Intoxicated Disguised Distressed 
Threatening Calm Excited Crying Angry 


Stutter 

Laughing 


Foreign 


ACCENT: ^uTsp (r. 3 ioMl)_ 

T > *:hi e - nerson a repeat Caller? Yes /No/ If Yes When?_ 

v '-^ How Often?_, J 

u~j\. r>as* hwShe caiiea aoom.' 


Cbac.k as Appropriate: 

VC aller requested to speak with Agent -^C aller wanted to report a crime 
_Caller asked about FBI employment.; 

_Caller referred to other Federal Agency:_ 

_Caller referred to local agency/Police:__ 

_Caller requested an FBI call bark at ftiTnp/riafg)_ 

"opy of this report forwarded tol (Supervisor or Invest.Asst_ 

oM/nT 


i=r 

ANSWER. TELEPHONE: '-FBI, MAY I HELP YOU?/'’ 

Bb COURTEOUS AND PROFESSIONAL AT ALL TIMES 
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Case ID #: 288A-AT-87389 (Pending) 


Title: UNSUB(S), AKA; 

DETH VEGETABLE; 

NET NINJA 

DBA CULT OF THE DEAD COW (CDC); 

MINDSPRING ENTERPRISES VICTIM; 

INTRUSION INFO"SYSTEMS 
IDENTITY THEFT; 

CONSPIRACY 

, ^Synopsis: To close captioned matter.: 

.Details: Due to the retirement of the case Agent it is 
; recommended that this investigation be closed.: In the event 

• that a decision, is made to.continue with the investigation, the 
following course of action would seem logical.: 








* •• 


To: 
Re: 


Atlanta From: 
288A-AT-87389, 


Atlanta 

05/28/1999 



Without available, trained; Agent, resources captioned 
matter should be closed.; 
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♦ ♦ 
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FM DIRECTOR -FBI (288-HQ-1234199) 

TO ALL FBI FIELD OFFICES/.IMMEDIATE/ 
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UNCLAS E F T 0 FOR OFFICIAL USE ONLY 
SECTION ONE OF THREE SECTIONS 
CITE: //1301// 

PASS: NIC WARNING STAFF TO NATIONAL WARNING COMMUNITY; JTF-CND 
APPROPRIATE DOD FACILITIES, SERVICE COMPONENTS AND TARGET 
LOCATIONS; | 

SUBJECT:- " 

GROUP IN EXISTENCE SINCE 1984) RELEASED A PRODUCT CALLED QUOTE 
BACK ORIFICE UNQUOTE AT LAST YEAR'S DEFCON VI HACKER CONVENTION. 
CDC HAS ANNOUNCED PLANS TO RELEASE A NEW VERSION OF BACK ORIFICE 
(BACK ORIFICE 2000) ON JULY 10TH AT THE DEFCON VII CONVENTION 
LAS VEGAS. THE PRODUCT WILL BE MADE AVAILABLE AS A FREE DOWNLOAD 
ON THAT DATE. 

2. (U) THE ORIGINAL 1998 RELEASE OF BACK ORIFICE INCLUDED THE 
FOLLOWING CAPABILITIES :- 

A- RETRIEVAL OF SYSTEM INFORMATION INCLUDING CURRENT USER, CPU 
TYPE, WINDOWS VERSION, MEMORY USAGE, MOUNTED DISKS AND DRIVE 
INFORMATION, SCREENSAVER PASSWORD, AND PASSWORDS CACHED BY USERS 
(DIAL-UPS, WEB AND NETWORK ACCESS, ETC). 

B. FILE SYSTEM CONTROL:- COPY, RENAME, DELETE, VIEW, SEARCH, 



FBI -ATLANTA 






PAGE SIX DE RUCNFB 0063 USCLAS E F T O ^ 

COMPRESS, AND DECOMPRESS FILES.: 

‘C•: PROCESS CONTROL i LIST, SPAWN, KILL. 

D. REGISTRY CONTROL.-; LIST, CREATE, DELETE, SET KEYS AND VALUES. 

E. - NETWORK CONTROL.. 

,'F.: MULTIMEDIA; CONTROL (INCLUDING SCREEN CAPTURE) .; 

G. PACKET REDIRECTION AND ‘SNIFFING*.. 

H. - APPLICATION REDIRECTION- '(SPAWN, MOST APPLICATIONS ON A. SPECIFIC 
PORT,.-SUCH AS TELNET) .; 

I. : HTTP SERVER (UPLOAD AND DOWNLOAD FILES) .; 

J. 'RUNS ON START-UP WITH NO. ENTRY IN THE TASK. LIST.. 

3.. : (U) BACK. ORIFICE 2000 WILL REPORTEDLY INCLUDE SEVERAL FEATURES 
NOT FOUND IN THE ORIGINAL VERSION, INCLUDING WINDOWS-NT 
COMPATIBILITY (THE ORIGINAL -PROGRAM ONLY WORKED ON WINDOWS 
‘95/98), OPEN PLUG-IN ARCHITECTURE FOR 3RD PARTY ADD-ONS, STRONG 
CRYPTOGRAPHY, 'AND OPEN SOURCE CODE AVAILABLE UNDER GNU PUBLIC 
LICENSE., 

4.. (U) ASSESSMENT 

A.. (FOUO). BACK ORIFICE 2000 WINDOWS NT COMPATIBILITY COULD 
BT 
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UNCLAS E F'T O FOR OFFICIAL USE ONLY 
SECTION TWO OF THREE SECTIONS 
CITE:; //1301// 

PASS:; NIC WARNING STAFF .TO NATIONAL WARNING COMMUNITY; JTF-CND 
•APPROPRIATE DOD FACILITIES, .SERVICE COMPONENTS/AND TARGET' 
LOCATIONS y | 

SUBJECT:;. 

TEXT CONTINUES:- 

GREATLY' INCREASE THE. POTENTIAL FOR DAMAGE TO NETWORK 
INFRASTRUCTURE.; THE PREVIOUS VERSION ONLY' AFFECTED WINDOWS .95/98 
MACHINES, 'GENERALLY. 'USED AS NETWORK. CLIENTSHOWEVER,- INFECTION 
OF NETWORK SERVERS (COMMONLY. RUNNING .WINDOWS NT) COULD 
DRAMATICALLY'INCREASE THE'POTENTIAL IMPACT OF/AN INFECTION IN 
TERMS OF BOTH DATA; LOSS AND 'CONNECTIVITY DISRUPTION: 

B.- (FOUO) THE EXPECTED COMBINATION OF OPEN SOURCE'CODE AND .PLUG¬ 
IN ARCHITECTURE WOULD MAKE BACK ORIFICE 2000 POTENTIALLY MORE 
DESTRUCTIVE-AND'DIFFICULT TO ERADICATE. THAN ITS PREDECESSOR., THE 
ORIGINAL BACK ORIFICE WAS FOLLOWED BY. A SMALL NUMBER OF 
THIRD-PARTY ADD-ONS;, IT APPEARS THAT CDC IS MAKING AN EFFORT TO 
ENCOURAGE THIRD-PARTIES TO ENHANCE BACK ORIFICE 2000, IN' LINE 
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WITH. THE GENERAL PHILOSOPHY OF OPEN-SOURCE PROGRAMMING ADVOCATES.:- 
EXPECT SIGNIFICANT VARIANTS TO APPEAR AFTER THE INITIAL RELEASE 
WHICH'COULD INCLUDE VARIOUS PROPAGATION -FEATURES, REMOTE 
INFORMATION TRANSMISSION, OR CORRUPTION AND DESTRUCTION OF DATA 

i 

THESE VARIANTS MAY REQUIRE ANTI>VIRUS SOFTWARE. AND NETWORK 
PROTECTION UPDATES.- ‘EXPECTED"BACK 'ORIFICE 2000- FEATURES .COULD 
EASILY' INCORPORATE CUSTOMIZED- MALICIOUS■CODE WITH THE BASIC 
PRODUCT.: 

5. - tf TQUO) RECOMMENDATIONS- BACK ORIFICE 2000 WILL LIKELY BE USED 
IN A SELECTIVE OR TARGETED MANNER SIMILAR' TO PREVIOUS NETWORK 
iSECURITY EXPLOITS.-, EXPECTED NT COMPATIBILITY .WILL MAKE CORPORATE,■ 
GOVERNMENT, AND MILITARY.' SYSTEMS INCREASINGLY ATTRACTIVE TARGETS. 
THESE COMMONLY TARGETED GROUPS SHOULD AGGRESSIVELY REVIEW AND 
MONITOR COMPREHENSIVE SECURITY MEASURES TO PROTECT AGAINST THE 
KIND OF EXPLOITS CAUSED OR/SUPPORTED BY BACK ORIFICE 2000. ; 
ADDITIONALLY, ’SUBSEQUENT MODIFICATION OF BACK ORIFICE 2000 'FOR. 
EXPANDED MALICIOUS IMPACT IS POSSIBLE, AND SHOULD BE IMMEDIATELY' 
REPORTED.- 
B'T 
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UNCLAS E F T O FOR. OFFICIAL USE ONLY 
SECTION THREE OF THREE SECTIONS 
•CITE:! //1301// 

PASS : ; NIC WARNING STAFF TO NATIONAL WARNING COMMUNITY'; JTF-CND 
■ APPROPRIATE JDOD FACILITIES,. -SERVICE COMPONENTS :AND TARGET 


LOCATIONS; 
SUBJECT:; 


TEXT CONTINUES: 



REACHED AT 


(COMMERCIAL) OR 


(CLASSIFIED) FROM; 6AM TO -11PM WASHINGTON LOCAL TIME, OR E-MAIL AT 


BT 
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FEDERAL BUREAU OF INVESTIGATION 

i 

i 

Precedence:.; ROUTINE Date: 07/22/1999 

To: Atlanta 



Title: UNSUB (S); 

AKA: DETH VEGETABLE; 

NET NINJA; 

DBA:. CULT OF THE DEAD COW;, 
MINDSPRING ENTERPRISES - VICTIM; 
INTRUSION - INFO-SYSTEMS 
IDENTITY THEFT;- 
CONSPIRACY 


b7E 

b6 

b7C 


Synopsis: It is recommend that the above captioned case be 

closed. 


Details: The above captioned group has been-in existence-since 
1984. -At lasts years DEFCON VI HACKER CONVENTION, .the- group 
released a'product called “BACK ORIFICE’.; At this years 
convention which was held on July: 10, 1999 in Las Vegas, Nevadia, 
the-group released a newer version called. ‘BACK ORIFICE 2000" . 
The product will be made available as a free download. 

{BACK ORIFICE 2000 will allow; an individual to gain 
-access to a persons computer and. retrieve- system information 
including current user, cpu type, windows version, memory usage, 
mounted disks, drive information, screen saver password,, and 
passwords cached.by users.. It will also allow the individual to 
have file system control, process control, registry control, 
network control, multimedia control, packet redirection, 
sniffing, application redirection and HTTP server.. 

BACK ORIFICE 2000 will reportedly "include several 
features not found in the original version,- including windows NT 
compatibi1ity. 


BACK ORIFICE 2000 Will likely be used in a selective or 
targeted manner similar to previous network security exploits. 







To: Atlanta Frwc: Atlanta 
Re: 288A-AT-87389, 07/22/1999' 


FBIHQ is aware of the release of the virus, file number 288-HQ- 
1234199 and they have sent out an advisory notice. 

It is recommended that each incidence be opened 
separately and worked on a case by case basis.; 




FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 
To*; Cyber Division 

Prom:; At lan 
Approved By: 

Drafted By: 

Case ID #: 


Date:; 06/20/2003 


Attn: 



^88A-AT-87389 
288-AT-C82244 SUB FD801 A 
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Title: UNSUB (S), AKA 
DETH VEGETABLE; 

NET NINJA, 

DBA CULT OF THE DEAD COW; 
MINDSPRING ENTERPRISES - VICTIM; 
COMPUTER INTRUSION CRIMINAL 

SUBMISSION:; X Initial O Supplemental X Closed 


CASE OPENED: 12/16/1998 


CASE CLOSED: 05/25/2000 

□ No action due to state/local prosecution (Name/Number_) 

□ USA declination 

□ Referred to Another Federal Agency (Name/Number;_) 

□ Placed in unaddressed work 
X Closed administratively 

□ Conviction 


COORDINATION: FBI Field Office 

Government Agency 
Private Corporation 


VICTIM 


Companyname/Government agency: Mindspring Enterprises 
Address/location: Atlanta, GA 
Purpose of System: ISP 

Highest classification of information stored in system: Unclassified 
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of 


To: Cyber' Divisiori From: Atlanta 
Re:; 288-AT-87389, Date: -06/20/2003 


System Data: 

Hardware/configuration (CPU): 

Operating System: 

Software: 

SecurityFeatures: 

Security Software Installed:’P-yes- (identify — _ ) □. no 

Logon Warning Banner: □ yes □ no 

INTRUSION INFORMATION 

Access for intrusion:; X Internet connection □ dial-up number □ LAN (insider) 

If Internet: Internet address: 1 

Network name: 


Method: 

TechniqUe(s) used in intrusion: (list provided) 


Path of intrusion: 



addresses: 1. 2. 

3... 

4. 5. 

country: 1. 2. 

3.. 

4.- 5. 

facility: .1. 2. 

3. 

4. . 5. 

Subject: 



Age: 


Race: 

Sex: 


Education: 

Alias(s): 


Motive: 

Group Affiliation: 

Employer: 

Known Accomplices: 



Equipment used: 


Hardware/configuration (CPU): 
Operating System: 

Software: 


Impact: 

Compromise of classified information: □ yes X no 
Estimated number of computers affected: Undetermined' 
Estimated dollar loss to date: Undetermined 


2 







To: Cyber Division From: Atlanta 
Re: '288-AT-87389, Date:. 06/20/2003 


Category of Crime: 

Impairment: 

X Malicious code inserted 

□ Denial of service 

.□ .Destruction of information/software 
’□ Modification of information/software■ 

□ Telephone services obtained' 

□ > Application softvyare obtained 

□ - Operating software obtained 
Intrusion: 

X Unauthorized access - 

□ Exceeding authorized access 


Theft of Information: 

□ Classified information compromised 

□ Unclassified information compromised 

□ Passwords obtained 

■O - Computer, processing time obtained 


REMARKS 


The above captioned group has been in existence since 1984.: At; 
the 1998. DEFCON VI HACKER CONVENTION, the group released a 
product, called BACK ORIFICE.: At the annual convention held on 
July 10, '1999 in Las Vegas, Nevada, the group released a newer 
version called BACK ORIFICE 2000.. 

BACK ORIFICE 2000 allows an individual to gain access to a 
person's computer and retrieve system, information, including 
current user, cpu type, windows version, memory usage, mounted 
disks, drive.information, screen saver password, and passwords 
cached by users.; It will also allow the individual to have file; 
system control, .process control, registry control, network, 
control, multimedia control, packet redirection, sniffing, 
application redirection, and HTTP server'.. 

BACK ORIFICE 2000 includes several, features not found in. the 
original version, including windows NT compatibility’. BACK 
ORIFICE 2000 will likely' be used in a selective or targeted 
manner similar to previous network; security exploits.- FBIHQ is 
aware of the release of the virus 1 ,- file, number’288-HQ-1234199 and. 
they have: sent; out; an advisory notice.; 

•. 

Investigation failed to; develop evidence of criminal misconduct, 
that occurred within. Georgia.; Case; was closed; administratively'.; 

♦♦ 
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FD-340 (Rev. 7-29-92) 




To Be Returned □ Yes CHfo 
Receipt Given □ Yes CTfto 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 
□ Yes CTNo 

Title: 


Reference:. 


(Communication Enclosing Material) 


Descriptio n: HKWginal notes re interview of 
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Ac C (A ftp 

Tf^-fX ^ £ ffy^^ 5-^ j 

Asfe'b* usfiy 
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FCK343 (Rev. 7-29-92) 


Universal Case File Number. 5 S~8'4-~A : i 
Field Office Acauirina Evidence * At 


- g-7%^/ 


Field Office Acquiring Evidence. 
Serial # of Originating Document _ 
Date Received /$-/^7n 



To Be Returned □ Yes Kito 
Receipt Given □ Yes GET^o 

Grand Jury Material - Disseminate OnlyPursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 
□ Yes DNo 

Titl0: I^aJSul BJ / 

&(<*- C+st-r#F r r/’fe < 


Reference: 


(Communication Enclosing Material) 


Description: □ Original notes re interview of 

_V” /o 






FD-26 (R*v.. 7-20-94) 


DEPARTMENT OF JUSTICE 
FEDERAL BUREAU OF INVESTIGATION 

CONSENT TO SEARCH 


i. : I 'have^been"asked-by-Special,Agents of the Federal Bureau of 
Investigation to permit a complete search of: 



2. I have been, advised of my right to refuse consent.; 

3I give this permission, voluntarily.; 

I authorize these agents to take any items which they determine may 
be related to their investigation. 








This is to certify that on _ _ at _ 

Special Agents of the Federal Bureau of Investigation, U.S. Department of 

Justice, conducted a search of __ 

I certify that nothing was removed from my' custody by Special Agents of 
the Federal Bureau of Investigation, U.S. Department of Justice.; 


(Signed) 


Witnessed: 


_ v ..Special,Agent . ‘ ... 

Federal Bureau of Investigation 
U.S.; Department of Justice 


Special Agent 

Federal Bureau of Investigation 
U.S. Department of Justice 







FD-3*0b (Rev. 8-7-97) 


Universal Case File Number_ • 

Field Office Acquiring Evidence_ | 

Serial # of Originating Document_ i 

Date Received _ 


From 


(Name of Contributor)" 


(Address of Contributor) 



To Be Returned □ Yes □ No 

Receipt Given 0 Yes O No 

Grand Jury Material - Disseminate Only Pursuant 

to Rule 6 (e), Federal Rules of Criminal Procedure 


m 


Q Yes □ No 


Title: 


Reference: 


(Communication Enclosing Material) 


Description: □ Original notes re interview of 
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13:01:50 FD-192 Page 1 


Title and Character of Case: 

VEGETABLE, DETH 

NINJA, NET 

Date Property Acquired: 

12/18/1998 

Soureft from which Property Acquired: 
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Anticipated Disposition: 






Description of Property:; Date Entered; 


IB 1 


ONE OPTICAL DISK' 

Barcode:; E1622226 Location: ECR CAB1 01/07/1999 


. _ asxa -ar-x oar?* i 

Case Number: 288A-AT-87389-1B 
Owning Office: ATLANTA 


Evidence fotoeW 













^ i#- 1 


.rHitu _ nr _ mcrr’w 


RECEIVED BY: : 
REASON:'- COLLECTED 


RECEIVED.BY: 
REASON:: ^ 



RECEIVED 3 
REASON 


RECEIVED BY: 
REASON:- 


wzvsuuw 




tv. 

* m*/ m* m a 


REASON: 


RECEIVED BY 
REASON: 




rr^r^'T*' tv.- 

• ItoVM* « MM M • i" 


RECEIVED BY: 

-tr* c^»». 


RECEIVED EY: 
REASONS 


RECEIVED BY: 
REASON: 


RECEIVED .BY: 
REASON: 


RECEIVED BY: 
REASON: 



DATE TIME 





* fzii 
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RECEIVED 3 


1$)L • / too 

REASON:; 

- 1 /T l « J7 S> SJ S 

n^i am 




, fev;:. 
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(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 


^ Atlanta 
From: Atlanta 

Approved By : Daulton Jack A 


Date: 12/29/98 


Evidence Technician 


Drafted By: 

Case ID 288A-AT-87389 (Pending) 

Title: DETH VEGETABLE; 

NET NINJA; 

CITA MATTERS 

Control S Room° re?0rt deia y ed entry of evidence into the Evidence 

comnn III 12 / 17 / 98 , ai * image, w^ s made of .the hard drive on a 

computer belonging to This was donp wit .£ 

oier C ?o S ?M« 0pt ^ cai / ais / K containing the image was turned 

f- k* 11 ®writer on .12/18/98.. It .has been in my custody since 
During that time I have been looking for a media 
(hard drive) large enough to restore the image. 
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1 FD-192 


ICMIPR01 
Page 1 


Title and Character of Case: 

VEGETABLE, DETH 
NINJA, NET 


.Date Property Acquired: 
12/18/1998 



operty Acquired:; 
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Anticipated Disposition:; 

Description of Property: 
IB 1 



Date Entered 


ONE OPTICAL DISK. 


Barcode:; E1622226 Location: ECR CAB1. 


01/07/1999 


Case Number:. 288A-AT-87389-1B 
Owning Office:. ATLANTA 

FD-192 

investigative 
FILE COPY t 
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